HP printer loophole permits data harvesting [Update: HP responds]

Certain HP printers could be remotely persuaded to collect confidential information or even cause physical damage, researchers have demonstrated, with a covert reprograming hack causing them to overheat and present a possible fire hazard. The government and industry funded research team at Columbia University were able to tweak an official HP management tool to include malicious programming in with a regular print job, MSNBC reports, allowing them to coax some LaserJet printers into overheating their fuser.

Update: HP has issued us with a statement; you can find it after the cut.

That, in the demo, built enough heat to cause paper to brown and begin to smoke, before a thermal switch came to the rescue. Whether that would always be the case is unclear. [HP says the thermal breaker would automatically kick in, and could not be overcome by malicious firmware.] However, it’s arguably less destructive implementations that could be more worrying, for instance reprograming the printers to send copies of any print jobs they receive to a third-party via their network connection.

In that way, corporate spying could be facilitated, with a business’ own printer hardware sharing their confidential documents. The hacked firmware can be installed by printing a document with the tweak embedded – such as by sending a file attached to an email for someone to print – but some printers can also be used via the internet and so might be open to remote modification.

Once tampered with, no outward indication of the changed status is given, leaving owners unaware of the security implications. The reprograming itself takes just 30 seconds, and PC anti-virus and malware software isn’t set up to scan printer hardware.

HP was made aware of the flaw prior to the researchers going public, though disagrees with some of the conclusions – and the extent of the issue – that the Columbia team have identified. For instance, it claims that digital firmware signing and limits around what can trigger updates mean the chances of a printer being compromised are considerably lower. Still, the nature of embedded systems like those at the heart of a printer and other internet-connected devices mean they’re expected to be increasingly the weak spot of network security.

Update: HP has given us the following statement, which is claims addresses wide-spread “inaccuracies in coverage related to printer security.” Understandably the firm is particularly keen to put any overheating issues into context, though there’s also the promise of a firmware upgrade that will address the loophole the Columbia University researchers have identified.

We’re following up with HP for a list of the impacted printers, as well as a timescale for the firmware update.

HP Statement:

Today there has been sensational and inaccurate reporting regarding a potential security vulnerability with some HP LaserJet printers. No customer has reported unauthorized access. Speculation regarding potential for devices to catch fire due to a firmware change is false.

HP LaserJet printers have a hardware element called a “thermal breaker” that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability.

While HP has identified a potential security vulnerability with some HP LaserJet printers, no customer has reported unauthorized access. The specific vulnerability exists for some HP LaserJet devices if placed on a public internet without a firewall. In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade.

HP is building a firmware upgrade to mitigate this issue and will be communicating this proactively to customers and partners who may be impacted. In the meantime, HP reiterates its recommendation to follow best practices for securing devices by placing printers behind a firewall and, where possible, disabling remote firmware upload on exposed printers.

HP will continue to educate customers about security risks and the features available to address them, and take proactive steps to maintain the security of devices in the field. HP Imaging and Printing Security Solutions work directly at the device and on the network to protect information at rest and in motion, and to prevent unauthorized access.